The present invention is generally directed to the field of security measures for wireless LAN technology. In a wireless local area network (or WLAN) a wireless client seeks to connect to the network in order to exchange data. There are three states in connecting to the network as specified by the IEEE 802.11 specification for WLANs:
1. Unauthenticated and Unassociated
2. Authenticated and Unassociated
3. Authenticated and Associated.
Authentication is the process of verifying the credentials of a client desiring to join a WLAN. Association is the process of associating a client with a given Access Point (AP) in the WLAN. IEEE 802.11 defines two types of authentication methods—Open Key System Authentication and Shared Key Authentication. A successful completion of the association and authentication phases allows a WLAN node successful entry into the WLAN subsystem.
The IEEE 802.11b standard attempts to provide “privacy of a wire” using an optional encryption scheme called “Wired Equivalent Privacy” (or WEP) in which a data frame or “payload” is run through an encryption algorithm, the output of which replaces the original payload. With “open key authentication” the entire authentication process is done in clear text. This means since the entire process is performed without encryption, a client can associate to the AP with the wrong WEP key or no WEP key. But as soon as the client tries to send or receive data it is denied access for not having the correct key to process the packet. With “shared key authentication” there is a challenge text packet that is sent within the authentication process. If the client has the wrong key or no key it will fail this portion of the authentication process and will not be allowed to associate to the AP.
This choice (open or shared key) is manually set on each device (AP and client). There should be a match in the method chosen by the client and the AP for the association to succeed. The default value is for open authentication.
The entire process can be broken down into three phases:
1) Probe Phase
When a client is initialized it first sends a “probe request” packet out on all the channels. The APs that hear this packet will then send a “probe response” packet back to the station. This probe response packet contains information such as SSID (Service Set Identifier), which the client utilizes to determine which AP to continue the association process with.
2) Authentication Phase
After the client determines which AP to continue association process with, it begin the authentication phase based upon the probe response packet. This phase can be performed in either open or shared key mode. The client and the access point both have to be set-up to the same authentication scheme for this phase to be performed properly.
OPEN AUTHENTICATION SCHEME: The client sends an authentication request to the AP. The AP then processes this request and determines (based on the configured policies) whether or not to allow the client to proceed with the association phase. The AP sends an authentication response packet back to the client. Based upon the type of response (pass or fail) from the AP, the client will either continue or discontinue the association process.
SHARED KEY AUTHENTICATION: The client sends an authentication request to the AP. The AP processes this request, generates and sends a challenge text packet to the client. The client is then required to encrypt the packet utilizing its already-configured WEP key and send the packet back up to the AP. The AP then determines if it can decipher the packet correctly. Based upon this test, the AP will send either a pass or fail in the authentication response packet to the client that determines if the client is allowed to continue the association phase or not.
3) Association Phase
When the client successfully completes the authentication phase (for example, receives a successful authentication response packet from the AP), it proceeds to the association phase. The client sends an association request packet to the AP. The AP analyses the information in this packet and if it passes, the AP adds the client to its association table. It then sends an association response packet to the client, which completes the association phase.